Esther Shein
2025-06-06 12:21:00
www.techrepublic.com
The FBI, CISA, and the Australian Cyber Security Center have issued an advisory about the Play ransomware group also known as Playcrypt, which has impacted businesses and critical infrastructure in North America, South America, and Europe.
Play ransomware was one of the most active ransomware groups in 2024, the advisory said.
As of May, the group had breached more than 900 organizations in multiple countries since its launch in June 2022, according to the FBI. In Australia, the first Play ransomware incident was reported in April 2023, with the most recent incident occurring in November of that year.
Multiple ransomware groups, including initial access brokers with ties to Play ransomware operators, have exploited three vulnerabilities, including CVE-2024-57727, in the remote monitoring and management (RMM) tool SimpleHelp. This has enabled operators to conduct remote code execution on numerous US-based organizations since mid-January.
Ransomware group’s methods include using double extortion
The Play ransomware group gains initial access to victim networks by abusing valid accounts, likely purchased on the dark web, and exploiting public-facing applications, according to the advisory.
Play ransomware actors have used external-facing services such as Remote Desktop Protocol (RDP) and virtual private networks (VPNs) for initial access. Once they are inside a network, the ransomware actors search for unsecured credentials and use the Mimikatz credential dumper to gain access to domain administrator accounts.
The Play ransomware operation is designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. The actors provide a unique @gmx.de or @web[.]d email address, and the ransom notes contain no initial ransom demand or payment instructions; instead, victims are instructed to contact the threat actors via email.
“A portion of victims are contacted via telephone and are threatened with the release of the stolen data and encouraged to pay the ransom,” the advisory says.
The actors employ a double extortion model, encrypting systems after exfiltrating data.
Steps organizations should take now to reduce cyber threat risks
To mitigate cyber threats from Play ransomware, the advisory urges organizations to take the following actions:
- Prioritize remediating known exploited vulnerabilities.
- Enable multifactor authentication (MFA) for all services, particularly for webmail, VPN, and accounts that access critical systems.
- Regularly patch and update software and applications to their latest versions and conduct regular vulnerability assessments.
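The first recommendation, prioritizing known exploited vulnerabilities, is easiest to act on when an asset inventory is matched against a known-exploited-vulnerability (KEV) list and ranked by exposure. The script below is an added example and is not code from the advisory, the agencies, or TechRepublic. Its KEV records are a constructed sample whose field names follow the public CISA KEV JSON feed; the CVE-2024-57727 / SimpleHelp entry comes from the article, while its due date, the other CVE identifiers, vendors, products, and the asset inventory are placeholders invented for the example.

```python
"""Rank inventory items against a KEV list: ransomware-linked CVEs on
internet-facing hosts first, then by how far past the remediation due date.

Added example; not the advisory's or CISA's code. Sample data is constructed.
"""
from datetime import date

# Constructed KEV subset. Field names follow the public CISA KEV JSON feed.
# CVE-2024-57727 (SimpleHelp) is named in the article; its dueDate and every
# other entry here are placeholders, not real catalog values.
KEV_SAMPLE = [
    {"cveID": "CVE-2024-57727", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dueDate": "2025-03-06", "knownRansomwareCampaignUse": "Known"},  # placeholder date
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "dueDate": "2025-02-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "ExampleWiki",
     "dueDate": "2025-04-01", "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed asset inventory: hostnames, vendors and products are placeholders.
INVENTORY_SAMPLE = [
    {"host": "rmm01", "vendorProject": "SimpleHelp", "product": "SimpleHelp", "internet_facing": True},
    {"host": "vpn-gw", "vendorProject": "ExampleVendor", "product": "ExampleVPN", "internet_facing": True},
    {"host": "wiki-int", "vendorProject": "ExampleVendor", "product": "ExampleWiki", "internet_facing": False},
    {"host": "fileserver", "vendorProject": "ExampleVendor", "product": "ExampleNAS", "internet_facing": False},
]


def index_kev(kev_entries):
    """Build a case-insensitive (vendor, product) -> [KEV entries] lookup."""
    index = {}
    for entry in kev_entries:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index


def prioritize(inventory, kev_entries, today):
    """Return inventory items that match a KEV entry, most urgent first.

    Ordering: entries flagged with known ransomware campaign use come first,
    then internet-facing hosts, then the most overdue remediation due date.
    """
    index = index_kev(kev_entries)
    findings = []
    for asset in inventory:
        key = (asset["vendorProject"].lower(), asset["product"].lower())
        for entry in index.get(key, []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
                "internet_facing": asset["internet_facing"],
                "days_overdue": (today - due).days,
            })
    # Python sorts False before True, so negate the booleans to put True first.
    findings.sort(key=lambda f: (not f["ransomware_use"],
                                 not f["internet_facing"],
                                 -f["days_overdue"]))
    return findings


if __name__ == "__main__":
    for finding in prioritize(INVENTORY_SAMPLE, KEV_SAMPLE, date(2025, 6, 6)):
        flags = []
        if finding["ransomware_use"]:
            flags.append("ransomware-linked")
        if finding["internet_facing"]:
            flags.append("internet-facing")
        print(f"{finding['host']:<12} {finding['cveID']:<16} "
              f"{finding['days_overdue']:>4} days overdue  {' '.join(flags)}")
```

In practice the KEV list would be loaded from the published JSON feed rather than embedded, and the inventory would come from a CMDB or vulnerability scanner export; the ranking logic is the part worth keeping, because it surfaces the ransomware-linked, externally reachable hosts that an initial access broker would be most likely to reach.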
Authorities urge organizations to stay vigilant, patch systems promptly, and strengthen access controls to reduce risk.